React2Shell Exploit Strikes Insurance, E-commerce, and IT Sectors; Critical RCE Vulnerability in React Components

Critical React2Shell Vulnerability Exploited in IT Sector Attacks

A critical security flaw, identified as CVE-2025-55182 and commonly referred to as React2Shell, has been actively exploited by cyber attackers targeting the insurance, e-commerce, and IT sectors. This vulnerability resides in the Flight protocol of React Server Components (RSC), facilitating unauthorized code execution on susceptible servers.

Understanding React2Shell (CVE-2025-55182)

React2Shell is a severe remote code execution (RCE) vulnerability affecting React versions 19.0.0 through 19.2.0, as well as frameworks like Next.js versions 15.x and 16.x that utilize React Server Components. The flaw stems from unsafe deserialization within the Flight protocol, which manages client-server communication. By exploiting this weakness, attackers can execute arbitrary commands on the server without authentication. The vulnerability has been assigned a maximum severity score of CVSS 10.0, indicating its critical nature. ([sonicwall.com](https://www.sonicwall.com/blog/react2shell-cve-2025-55182-critical-unauthenticated-rce?utm_source=openai))

Rapid Exploitation by Threat Actors

Following the public disclosure of React2Shell on December 3, 2025, multiple threat groups, including those with ties to China, such as Earth Lamia and Jackpot Panda, began exploiting the vulnerability within hours. These groups have been observed conducting mass scanning and automated attacks against internet-facing servers running vulnerable versions of React and Next.js. ([aws.amazon.com](https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/?utm_source=openai))

Malware Deployment and Attack Mechanisms

Attackers have leveraged React2Shell to deploy various malware strains, including cryptocurrency miners like XMRig, botnets such as Kaiji and RustoBot, and remote access tools like CrossC2 implants, Tactical RMM, VShell backdoors, and EtherRAT trojans. The attack chain typically involves:

1. Initial Exploitation: Attackers send crafted HTTP POST requests to vulnerable RSC endpoints, triggering arbitrary JavaScript execution on the server. ([hunt.io](https://hunt.io/blog/react2shell-cve-2025-55182-nextjs-nodejs-rce?utm_source=openai))

2. Payload Delivery: Malicious scripts are downloaded and executed, often using Bash scripts like `wocaosinm.sh` to deploy architecture-specific ELF executables identified as the Kaiji botnet. This botnet performs DDoS attacks and establishes persistence through systemd services, crontab tasks, and modified system utilities.

3. Persistence and Evasion: Scripts such as `setup2.sh` install XMRig miners, while `alive.sh` terminates processes consuming significant CPU resources, except for the miner itself and other whitelisted processes. Attackers also use DNS tunneling through tools like `nslookup` to exfiltrate command execution results, sending information to external domains using encoded subdomain queries.
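As an added example that is not part of the original article, the following JavaScript applies a heuristic scan to resolver query logs for the encoded-subdomain exfiltration pattern described in step 3. The log line format, the thresholds and the sample lines are assumptions constructed for the example.

```javascript
// Added example, not from the article: heuristic scan of resolver query logs for
// encoded subdomains. Log format ("<time> <client-ip> query <qname> <type>") and
// thresholds are assumptions chosen for the example.
const LONG_LABEL = 30;       // a single DNS label this long is unusual for real hostnames
const HEX_MIN_LEN = 16;      // a hex-only subdomain of this length suggests encoded data
const ENTROPY_MIN = 3.8;     // bits/char; ordinary hostnames stay well below this
// Shannon entropy in bits per character.
function entropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) { const p = n / s.length; h -= p * Math.log2(p); }
  return h;
}

// Returns the reasons a query name looks like encoded exfiltration, or [] if none.
function suspiciousReasons(qname) {
  const labels = qname.toLowerCase().replace(/\.$/, "").split(".");
  if (labels.length < 3) return [];               // nothing in front of the parent domain
  const sub = labels.slice(0, -2).join("");        // subdomain part with dots removed
  const reasons = [];
  const longest = Math.max(...labels.map((l) => l.length));
  if (longest >= LONG_LABEL) reasons.push(`label length ${longest}`);
  if (sub.length >= HEX_MIN_LEN && /^[0-9a-f]+$/.test(sub)) reasons.push("hex-only subdomain");
  const h = entropy(sub);
  if (sub.length >= HEX_MIN_LEN && h >= ENTROPY_MIN) reasons.push(`entropy ${h.toFixed(2)}`);
  return reasons;
}

// Scans log lines and returns the flagged queries with client and reasons.
function scanDnsLog(lines) {
  const hits = [];
  for (const line of lines) {
    const [time, client, verb, qname] = line.trim().split(/\s+/);
    if (verb !== "query" || !qname) continue;
    const reasons = suspiciousReasons(qname);
    if (reasons.length) hits.push({ time, client, qname, reasons });
  }
  return hits;
}

// Constructed sample log: two ordinary lookups and two hex-encoded subdomains
// sent to a placeholder domain standing in for attacker infrastructure.
const SAMPLE_DNS_LOG = [
  "2025-12-04T10:15:01Z 10.0.0.12 query www.example.com A",
  "2025-12-04T10:15:02Z 10.0.0.12 query autodiscover.example.com A",
  "2025-12-04T10:15:03Z 10.0.0.12 query 636f6e7374727563746564.attacker-placeholder.test A",
  "2025-12-04T10:15:04Z 10.0.0.12 query 73616d706c652d64617461.0a1b.attacker-placeholder.test A",
];
console.log(scanDnsLog(SAMPLE_DNS_LOG));
```

Hits should be correlated with process creation records for `nslookup` on the web host before being treated as confirmed exfiltration, since long or hex-like labels also occur in some legitimate CDN and telemetry traffic.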

Technical Details of the Vulnerability

The React2Shell vulnerability arises from how the React Flight protocol handles streamed data between the server and client. During deserialization, the framework resolves references between data chunks. The flaw lies in how React handles the `__proto__` property during this process. By injecting malicious chunk references, an attacker can:

– Overwrite prototype methods during deserialization.

– Manipulate `.then()` behavior.

– Trigger the JavaScript Function constructor.

– Execute arbitrary code remotely and without authentication.

Only a single crafted HTTP request is needed to exploit this vulnerability. ([hackthebox.com](https://www.hackthebox.com/blog/react2shell-cve-2025-55182-threat-spotlight?utm_source=openai))

Affected Versions and Immediate Actions

The following versions are affected by React2Shell:

– React Server Components: Versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0.

– Next.js App Router: Versions 14.x Canary Builds, 15.x, and 16.x (from 16.0.0 up to but not including 16.0.7).

To mitigate the risk, organizations should:

1. Update React and Next.js: Upgrade to React versions 19.0.1, 19.1.2, or 19.2.1, and apply corresponding Next.js patch releases. ([sonicwall.com](https://www.sonicwall.com/blog/react2shell-cve-2025-55182-critical-unauthenticated-rce?utm_source=openai))

2. Assess Systems for Compromise: Investigate for signs of exploitation, such as unauthorized processes or unusual network activity.

3. Restrict Experimental Features: Disable experimental React Server Components features in production environments unless they are covered by current security patches.

4. Monitor for Indicators of Compromise (IoCs): Stay vigilant for known IoCs associated with React2Shell exploitation.
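A small checker for the affected version ranges listed above, added here as an example and not taken from the article or from the React or Next.js projects. It assumes plain semver strings as input; the package-to-version map it audits and the sample versions are constructed for the example.

```javascript
// Added example (not code from the article or from React/Next.js): checks
// installed versions against the affected ranges listed in the article. Assumes
// plain semver strings such as "19.1.1" or "14.3.0-canary.42" (constructed samples).
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised version string: ${version}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre: m[4] || "" };
}

// React Server Components: exactly the four releases named in the article are
// affected, each mapped here to the patch release on its own minor line.
const REACT_FIX = { "19.0.0": "19.0.1", "19.1.0": "19.1.2", "19.1.1": "19.1.2", "19.2.0": "19.2.1" };

function isReactAffected(version) {
  const v = parseVersion(version);
  // Pre-release builds are not in the article's list, so they are not flagged here.
  return !v.pre && `${v.major}.${v.minor}.${v.patch}` in REACT_FIX;
}

// Next.js App Router: 14.x canary builds, every 15.x release, and 16.0.0 up to
// but not including 16.0.7 are affected.
function isNextAffected(version) {
  const v = parseVersion(version);
  if (v.major === 14) return v.pre.includes("canary");
  if (v.major === 15) return true;
  if (v.major === 16) return v.minor === 0 && v.patch < 7;
  return false;
}

// Audits a { packageName: installedVersion } map (e.g. built from the lockfile
// or `npm ls react next --json`) and returns the packages that need upgrading.
function auditInstalled(installed) {
  const findings = [];
  if (installed.react && isReactAffected(installed.react)) {
    const v = parseVersion(installed.react);
    findings.push({ package: "react", version: installed.react,
      upgradeTo: REACT_FIX[`${v.major}.${v.minor}.${v.patch}`] });
  }
  if (installed.next && isNextAffected(installed.next)) {
    findings.push({ package: "next", version: installed.next,
      upgradeTo: "the Next.js patch release corresponding to the fixed React version" });
  }
  return findings;
}

// Constructed sample: react 19.1.1 and next 16.0.3, both inside the affected ranges.
console.log(auditInstalled({ react: "19.1.1", next: "16.0.3" }));
```

Use the resolved versions from the lockfile or `npm ls` rather than the ranges declared in package.json, since a declared range such as `^19.1.0` says nothing about which release is actually installed.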

Conclusion

The React2Shell vulnerability underscores the critical importance of prompt patching and vigilant monitoring in the face of rapidly evolving cyber threats. Organizations utilizing React Server Components or related frameworks must take immediate action to secure their systems against this actively exploited flaw.